IMPORTANT! |
---|
As of May 17, 2020, python-vipaccess stopped working for provisioning new Symantec VIP Access tokens (which was its raison d'être). |
As of May 27, 2020, it's working again. |
It might stop working again, and we might not be able to get it to work again (see #39). |
Note: Your password cannot be more than 26 characters if you want to use 2FA at all. eTrade makes you enter your 2FA code appended to your password to log in and limits the password input to 32 characters, which further restricts the maximum length of your actual password.
pip is already installed if you are using Python 2 >=2.7.9 or Python 3 >=3.4 downloaded from python.org or if you are working in a Virtual Environment created by virtualenv or pyvenv
Source: https://pip.pypa.io/en/stable/installing/
# Install latest release from PyPI
$ pip3 install python-vipaccess
# Install latest development version from GitHub
$ pip3 install https://github.com/dlenski/python-vipaccess/archive/HEAD.zip
Source: https://github.com/dlenski/python-vipaccess
Run the following command:
vipaccess provision -p -t VSMT
The output will look something like this:
Generating request...
Fetching provisioning response...
Getting token from response...
Decrypting token...
Checking token...
Credential created successfully:
otpauth://totp/VIP%20Access:VSMT71412959?secret=WR7UYWEG34C7IMIP6CZ7PXWORITEUBGN&digits=6&algorithm=SHA1&issuer=Symantec&period=30
This credential expires on this date: 2023-09-16T15:22:12.213Z
You will need the ID to register this credential: VSMT71412959
You can use oathtool to generate the same OTP codes
as would be produced by the official VIP Access apps:
oathtool -b --totp WR7UYWEG34C7IMIP6CZ7PXWORITEUBGN # output one code
oathtool -v -b --totp WR7UYWEG34C7IMIP6CZ7PXWORITEUBGN # ... with extra information
Find your eTrade entry in 1Password and edit it. Under an existing or new section, create a text field for Credential ID with the value
VSMT71412959
and a one-time-password field with the value
otpauth://totp/VIP%20Access:VSMT71412959?secret=WR7UYWEG34C7IMIP6CZ7PXWORITEUBGN&digits=6&algorithm=SHA1&issuer=Symantec&period=30
Your entry should look similar to the following before saving:
If you are using a different authenticator tool/app, you can also generate a QR code to scan using qrencode:
brew install qrencode
qrencode -t UTF8 'otpauth://totp/VIP%20Access:VSMT71412959?secret=WR7UYWEG34C7IMIP6CZ7PXWORITEUBGN&digits=6&algorithm=SHA1&issuer=Symantec&period=30'
You can use the direct link https://us.etrade.com/e/t/accounts/mfaactivatetoken?FirstTime=YES&tokenkind=mobile or follow the steps below:
- Log in to eTrade
- Click on the little profile icon in the top-right
- Click on "Security Settings"
- Click on "Manage two-factor authentication"
- Click on "Add authenticator"
- Enter your Credential ID
- Copy the TOTP code from 1Password
- Provide a description such as "1Password" so you can differentiate this credential from others you might have.
In an incognito window (or another browser or device), attempt to log in to eTrade. Remember that you need to enter your password and append the current TOTP code. If everything works, you are done! Potential problems include an expired code, leaving out any of the query parameters in the OTP URI, and your password being more than 26 characters.
If you are using 1Password synced to the cloud in some manner, a backup device isn't as important, since you can ideally always regain access to your vault in an emergency. If you are using 1Password standalone (no syncing), or some other password manager that does not have backup access of its own, registering another device is a good way to keep access to your account if you lose the primary credential. A backup device could be another credential generated through this process, or (gasp) the Symantec app, as they expect.
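To rule out those problems before attempting the login, the check below parses the otpauth URI, refuses one with a missing query parameter, computes the code per RFC 6238, and confirms that password plus code fits the 32-character input. It is an added example, not part of python-vipaccess or the original guide; the function names are made up here, and the sample secret is the RFC 6238 test key rather than a real credential.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs

REQUIRED = ("secret", "digits", "algorithm", "period")
HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Constructed sample: the RFC 6238 test key, not a real VIP Access secret.
SAMPLE = ("otpauth://totp/VIP%20Access:EXAMPLE?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
          "&digits=6&algorithm=SHA1&issuer=Symantec&period=30")

def parse_otpauth(uri):
    """Return the query parameters of an otpauth://totp URI, rejecting incomplete ones."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    missing = [k for k in REQUIRED if k not in params]
    if missing:
        raise ValueError("missing query parameters: " + ", ".join(missing))
    if params["algorithm"].upper() not in HASHES:
        raise ValueError("unsupported algorithm: " + params["algorithm"])
    return params

def totp(params, now=None):
    """Compute the RFC 6238 code for the given Unix time (default: current time)."""
    secret = params["secret"].upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))  # restore stripped padding
    digits, period = int(params["digits"]), int(params["period"])
    counter = int(time.time() if now is None else now) // period
    mac = hmac.new(key, struct.pack(">Q", counter), HASHES[params["algorithm"].upper()]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def login_value(password, code, limit=32):
    """Build password+code as typed into the login form; limit is the 32-character input cap."""
    value = password + code
    if len(value) > limit:
        raise ValueError(f"password must be at most {limit - len(code)} characters")
    return value

if __name__ == "__main__":
    p = parse_otpauth(SAMPLE)
    print("code at t=59:", totp(p, now=59))
    left = int(p["period"]) - int(time.time()) % int(p["period"])
    print("current code:", totp(p), f"(valid for another {left}s)")
```

The code it prints for your own URI should match what 1Password and `oathtool -b --totp` show for the same secret; if it does not, compare the system clock first.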
This is awesome! Thanks for sharing this.